Back to The Local Vocal
Help & glossary

Making sense of The Local Vocal

Every alert is tagged with a risk level, one or more threat types, and where you'd encounter it. Here's what each label means.

Risk levels

High

A serious, active threat. It's likely you'll come across it, and it can cause significant harm — financial loss, a data breach, or a hijacked account. Treat it as urgent and act now.

Medium

A real threat that's circulating and could catch people out, with meaningful disruption or loss if it succeeds. Stay alert and make sure your team knows about it.

Low

Worth knowing about, but either unlikely to reach you or limited in impact if it does. Good background awareness rather than an immediate worry.

Risk reflects a blend of how likely you are to encounter something and how much harm it could do — our team sets it for every alert.

Threat Type — the harm

What the attack is ultimately trying to do to you. The Local Vocal uses twelve curated categories.

Account Takeover
An attacker gains control of a legitimate account — email, Microsoft 365, banking or SaaS — then uses that access to steal data, move funds or launch further attacks from inside.
Adware
Software (often bundled with free downloads or delivered via malvertising) that forces unwanted ads, hijacks browser search or tracks your browsing habits. Rarely destructive on its own, but a strong signal the device has been compromised.
Data Breach
Unauthorised access to or disclosure of confidential information — customer records, credentials, financial data or intellectual property. Often the end goal of an account takeover, ransomware attack or supply-chain intrusion.
Denial of Service
An attack designed to overwhelm a website, network or service so legitimate users can't access it (DoS / DDoS). Frequently used as extortion leverage — or as a smokescreen while another attack runs in the background.
Email Compromise
The attacker either impersonates or has taken over an internal mailbox and uses it to redirect payments, change invoice details, or extract sensitive information from colleagues and suppliers.
Malicious Link
A URL crafted to steal credentials, harvest data, or silently install harmful software when a target clicks it — typically embedded in a phishing message, SMS or ad.
Malware
Umbrella term for any malicious software — trojans, worms, viruses, keyloggers, remote-access tools, botnet clients. Can be delivered by any vector (email attachment, USB, drive-by download, supply-chain update).
Phishing
Fraudulent messages that trick you into revealing passwords, card details or other information by pretending to come from someone you trust (bank, IRD, Microsoft, colleague).
Scam/Fraud
Deception designed to trick you out of money, goods or services — invoice fraud, fake refunds, tech-support scams, romance/investment schemes and similar.
Social Engineering
Manipulation of people — through urgency, authority, sympathy or trust — into acting against their own interest (approving an MFA prompt, sharing a code, transferring funds).
Spyware
Malware that silently monitors what you do — keystrokes, screen contents, camera/microphone, browser sessions — and exfiltrates it to the attacker. Common tool for stealing banking credentials and live MFA codes.
Ransomware
Malware that encrypts your files and demands payment for the decryption key. Modern variants also steal data first and threaten to publish it (double-extortion) whether you pay or not.

Encountered Via — where you'd meet it

The channel a reader would first encounter this threat. One of nine taxonomies.

Email
The threat first reaches you in your inbox — a message, link or attachment designed to trick, infect or defraud you.
Social Media
The threat first surfaces on a social platform (Facebook, Instagram, LinkedIn, TikTok) — usually as a fake ad, sponsored post, impersonated brand page or a DM from a compromised contact.
Sign-ins
The threat targets your login screens directly — automated password-guessing, credential stuffing, MFA-fatigue prompts or infrastructure probing against Microsoft 365 / Google Workspace / VPN portals.
Website / Web search
The threat is discovered by browsing or via a search engine — a poisoned result, malicious ad, fake support number, or a look-alike company page that ranks alongside the legitimate one.
SMS / Text
The threat arrives by text message — a fake courier notice, bank alert, IRD refund or MFA prompt that links to a scam page (sometimes called "smishing").
Phone call
Voice-based social engineering — tech-support scams, spoofed bank fraud calls, IRD impersonation, or robocalls that pressure you into paying or handing over codes.
Application
A software vulnerability being actively exploited in a product your business uses — anchored by a specific CVE (Common Vulnerabilities and Exposures) identifier so you can look up and patch it.
Supply chain
Attackers reach you through a trusted upstream vendor or software update pipeline. You're not the direct target — a supplier is — but the compromise flows downstream to your systems.
Removeable media
Malware carried on USB sticks, SD cards or external drives — the classic "lost USB in the carpark" or infected vendor drive. Bypasses email and web defences entirely.

Reading a threat card — the technical detail

Some alerts include structured evidence. Here's what each of those panels means.

Email authentication (SPF / DKIM / DMARC / COMPAUTH)

SPF (Sender Policy Framework)
Checks whether the email came from a server the domain owner authorised to send on their behalf. A Fail means the sender isn't on the approved list — a strong sign of spoofing.
DKIM (DomainKeys Identified Mail)
A cryptographic signature proving the message really came from the claimed domain and wasn't tampered with in transit. A Fail means the signature is missing or invalid.
DMARC (Domain-based Message Authentication)
Ties SPF and DKIM together and tells the receiving server what to do when a message fails — reject or quarantine it. A Fail means the message didn't meet the domain's own policy.
COMPAUTH (Composite Authentication)
Microsoft 365's overall verdict, combining SPF, DKIM, DMARC and its own signals. A Fail is Microsoft's summary judgement that the sender couldn't be trusted.

Domain checks

Sender / From domain
The domain the message claims to come from. Attackers often use look-alike domains (e.g. ird-refunds.co instead of ird.govt.nz).
Reply-To domain
Where a reply is actually sent. If it differs from the From domain, replies can be quietly routed to the attacker's inbox.
Newly registered domain
A domain created very recently (within ~90 days). Legitimate businesses rarely email you from a brand-new domain — scammers register throwaway ones constantly.

Domain / IP reputation

Abuse score
A 0–100 rating of how often an IP address has been reported for malicious activity (from sources like AbuseIPDB). 0–24 is low, 25–74 is elevated, and 75–100 means the address is a known, heavily-reported source of attacks.
ISP (Internet Service Provider)
The network that carried the traffic — Cloudflare, Spark NZ, Linode, etc. Identifying the ISP tells you whether the attack came from consumer broadband, a data-centre, a mobile carrier, or a bulletproof host.
ISP function
What the ISP does — Hosting provider, Residential broadband, Carrier-grade NAT, VOIP wholesale. This context matters: a hosting provider IP acting as a mail sender is far more suspicious than the same IP from a residential connection.
ISP reputation
A qualitative assessment of the ISP's history — clean, mixed, historically high abuse, or bulletproof host (a provider that deliberately ignores abuse complaints). When we don't have a confident signal, this field reads "Reputation Unknown".

Targeted app

Targeted app
The specific service the attackers are trying to break into — for example Microsoft 365, Outlook Web or a banking portal. Knowing the target tells you exactly where to tighten protection (e.g. enforce MFA on that service).

Sign-in attacks & mitigations

Sign-in attack
Repeated attempts to log into your accounts. We classify the pattern and recommend the most effective way to shut it down.
Attack profile
The key facts about the attempts — the auth method used, the main reason logins failed, how many attempts there were, and how many accounts were targeted.
Recommended mitigations
The specific policy changes (like enforcing MFA number-matching, blocking legacy protocols, or tightening Conditional Access) that best neutralise the pattern we detected.

Where our information comes from

Every alert is grounded in first-hand data from the systems we manage, cross-checked against trusted New Zealand and international security sources.